Launch Nexus using a self-signed x.509 certificate

[smklein]

Part of #249

This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent.

• The packaging system expects to find these certificates within ./out/certs, named cert.pem and key.pem.
• ./tools/create_self_signed_cert.sh is capable of creating a self-signed certificate.

[davepacheco]

This looks good. Two things:

• If somebody forgets to create the self-signed certificate but still runs builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.
• I wonder if we should update the example config files and the simulated run instructions so that people are doing this in that workflow too. But that doesn't have to be in this PR!

[smklein]

This looks good. Two things:

• If somebody forgets to create the self-signed certificate but still runs builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.

The packaging tools complain when constructing the Nexus zone image - so it is not a runtime failure. I wanted to make the certificates mandatory for running in "real" nexus to make it very difficult to "not have them at runtime, somehow".

• I wonder if we should update the example config files and the simulated run instructions so that people are doing this in that workflow too. But that doesn't have to be in this PR!

Sounds good

[davepacheco]

This looks good. Two things:

• If somebody forgets to create the self-signed certificate but still runs builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.

The packaging tools complain when constructing the Nexus zone image - so it is not a runtime failure. I wanted to make the certificates mandatory for running in "real" nexus to make it very difficult to "not have them at runtime, somehow".

Sounds good. I was worried because I didn't see anything in this PR that would obviously fail in that case.

[augustuswm]

This location is will change eventually as a some things get decoupled. Not to block this PR, but for future reference.

[smklein]

Thanks for the heads up. The flow for importing a non-self-signed cert is clearly half-baked; I needed to pull them manually.

Until we have a good authentication story for it, the manual approach seems better than something insecure, but I'd like to remedy that when we can.

[smklein]

This looks good. Two things:

• If somebody forgets to create the self-signed certificate but still runs builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.

The packaging tools complain when constructing the Nexus zone image - so it is not a runtime failure. I wanted to make the certificates mandatory for running in "real" nexus to make it very difficult to "not have them at runtime, somehow".

Sounds good. I was worried because I didn't see anything in this PR that would obviously fail in that case.

Hrm... I realized, the thing we were actually checking for was the presence of a directory in out/certs. I've updated the packaging stuff to be more specific about the individual files.